Re: [Ace] Comments draft-palombini-ace-coap-pubsub-profile-04
Francesca Palombini <francesca.palombini@ericsson.com> Mon, 08 July 2019 14:35 UTC
Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 338D4120236 for <ace@ietfa.amsl.com>; Mon, 8 Jul 2019 07:35:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id To8MTO3EwYYi for <ace@ietfa.amsl.com>; Mon, 8 Jul 2019 07:35:09 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60085.outbound.protection.outlook.com [40.107.6.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20EEA1201A0 for <ace@ietf.org>; Mon, 8 Jul 2019 07:35:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XF1F4UziWLj1leBIM+01vsiH/dWWHWZglTkQMZQau4NEvT6JqbtqQ2Oeo/BqGw9hfGGht0OUvOEfj3krFbi7y7QH8d0Q5eRPgILH3QtAIslzvg0CGuPd38XqVvaq89giWI10XH7/00fIP4cWHC4vaZYZ8a1a2QCGfk5fES3LxcdkGQxKe42snJjRA8v7r+7BRfDIxADNnlci6C0FCtqbJVxtvR486M/HuDZT+DoKHyn7/pXL9d1S62pLn2Afav62p6Zm76qb1VSFdn6dzDak7Q7ChqOreg8uLDsHcrdyBBtVowFrwHXAAVVl3JvLfCWdyqhCPS4+3EgK5ojb+bUinw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZtfqMElVrIVVpSFUUqIvwytS0cRKs4BY2CJIYtF29xY=; b=QmbrgZxyphyF2a+3mWl1wiIY70MFyXyhxIZlUCSpsW/m4ywiuToAPI2l2g8WMbN/1mLjDotC6t1F+qCacgcfzfiFwjgK7gPJON0fDrXjPECHNRAz+SSHbPBy5yvhSi/Ik9axuAZJB8xbqQ+w8YvsxVGGfKtRhbWFH6dtHDbArVxiILTouptYfWTAkzBCjtU/7cK31/OZx/fwakvLXL3I+wuWWWUrz8MqSCuYYucpQqDyYPc7VP5LUKCQzj9Iw1R4HmwHM9W/9L/eXurvnFPQePDleCDCPBJiQrguKemtpOMin/KHYLVopGWkVEyX9Nnb4gf3eQftJgadXgSanK/69Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZtfqMElVrIVVpSFUUqIvwytS0cRKs4BY2CJIYtF29xY=; b=BMaqLYP3pMp9A12EN0PXFtwSx7h3WYiQcWLVM1R2s7CqC8bh70L98yXFP7XyC0CufHXW/46TWpK3fEsYFacIOLqxiAVdI7GELudZfWSTb9Wsg2X/aK4hj0agxVVhxS7TVdfHDbgknU6Xt76NIb65W4fue9OpMqmMoL2AetysjjA=
Received: from HE1PR0701MB2746.eurprd07.prod.outlook.com (10.168.185.17) by HE1PR0701MB2442.eurprd07.prod.outlook.com (10.168.128.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.7; Mon, 8 Jul 2019 14:35:03 +0000
Received: from HE1PR0701MB2746.eurprd07.prod.outlook.com ([fe80::d958:9685:d091:3b9a]) by HE1PR0701MB2746.eurprd07.prod.outlook.com ([fe80::d958:9685:d091:3b9a%3]) with mapi id 15.20.2073.008; Mon, 8 Jul 2019 14:35:03 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Marco Tiloca <marco.tiloca@ri.se>, "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Comments draft-palombini-ace-coap-pubsub-profile-04
Thread-Index: AQHU7qzQFt4F2rm7+kuMJHE7mGDl7abBeNQA
Date: Mon, 08 Jul 2019 14:35:03 +0000
Message-ID: <628B690B-0D38-44F8-BDEA-CC1195F4524C@ericsson.com>
References: <7ccc6f5e-fdc2-95e2-b1b6-01f2708e0cd9@ri.se>
In-Reply-To: <7ccc6f5e-fdc2-95e2-b1b6-01f2708e0cd9@ri.se>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=francesca.palombini@ericsson.com;
x-originating-ip: [158.174.219.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9974bb7a-dcd4-4835-91b5-08d703b1771e
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR0701MB2442;
x-ms-traffictypediagnostic: HE1PR0701MB2442:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <HE1PR0701MB2442A57D04464895D4E3A82998F60@HE1PR0701MB2442.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00922518D8
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(346002)(396003)(136003)(39860400002)(376002)(199004)(189003)(55674003)(53936002)(33656002)(3846002)(478600001)(6116002)(6246003)(25786009)(76116006)(66946007)(66556008)(486006)(36756003)(66574012)(2501003)(5660300002)(86362001)(64756008)(66476007)(73956011)(316002)(66446008)(6306002)(6512007)(6436002)(6486002)(229853002)(110136005)(81166006)(71200400001)(81156014)(8936002)(71190400001)(26005)(2906002)(186003)(76176011)(6506007)(102836004)(99286004)(7736002)(256004)(66066001)(68736007)(305945005)(966005)(44832011)(446003)(11346002)(14444005)(14454004)(476003)(8676002)(2616005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2442; H:HE1PR0701MB2746.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: MV19jVycKGOZwr+MD8huCFOfCIFiLgwIHORoqXw+K0PWNrLomdmxq3qDFnFuu9e/jgPbGhmi6essso5ofmSMv7ObRPKoLetxSkx3yJWOkfbLammD8lf8k79GI/G1UwPkEb6RFI8mUyreaetuowcrO55N8z2o0+iAKW+Y5neuwtjDvYqdqS1TgHrxKxZQj0OmA/D5Q5rf+Scs24iu+6q72Zp4Pl61hfH1GeoxVhiiPb5u1FKQSzUeV+Nz9I5b76pv5ZPoiYg2wxx25WsbWOqoJHdpQBCpNybrZAwG+1gF3FTmNhqfxqlkOqJenEj/zqehzm2sZWpTRknhTignefQO9gS282M7ZFFZbO0SkBMHUy2nxMFW35a6Ic+8oLH8dIeD1xL19WgLWOChs3YS3Oda2kRmzTbTmRNIGfvRtN9KPhM=
Content-Type: text/plain; charset="utf-8"
Content-ID: <428753A1AADCB24094AABBC8FCBDF659@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9974bb7a-dcd4-4835-91b5-08d703b1771e
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Jul 2019 14:35:03.4883 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: francesca.palombini@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2442
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ZOJZ8k892TWP8gI3o0uh91_rVF8>
Subject: Re: [Ace] Comments draft-palombini-ace-coap-pubsub-profile-04
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jul 2019 14:35:21 -0000
Hi Marco, Thanks a lot for this review! I finally managed to include your comments and update the document, and will be posting a new version soon. You can see the PR to this update here in the meantime: https://github.com/EricssonResearch/coap-pubsub-profile/pull/2 Answers inline. Thanks, Francesca On 09/04/2019, 10:18, "Ace on behalf of Marco Tiloca" <ace-bounces@ietf.org on behalf of marco.tiloca@ri.se> wrote: Hi, Please, find below some comments on this profile. I hope it helps! Best, /Marco ------------------------ [Abstract] "This profile relies on transport layer or application layer security to authorize the publisher to the broker" is due to the current profiles of ACE, right? Otherwise, this can be (even) more general without mentioning particular layers. FP: That is correct, that is due to what profile of ACE is used. I haven't made a change here. [Section 1] Here the claimed scope is authorizing nodes, but it is actually also about key provisioning (Section 3.1) and actual communication (Section 6.1). FP: Right, I added some text about that. [Section 2] Here the claimed scope is protecting communication (in a broad sense), while it can again mention also authorizing nodes (as per ACE) and key provisioning (Section 3.1). FP: Yes, added text about that as well. I believe that the paragraph "There are four phases, ..." and the numbered list would read better if placed right before the final paragraph "Note that AS1 and AS2 ..." FP: I tried to make this change but could not split the numbered list from the following paragraph, since it talks about this exchange in particular, so I ended up not implementing this one. We can discuss more about this. [Section 3.1] I think this will also need a way for clients to agree with the AS2 on the correct format of their own public key (if they don't know already), similarly to what suggested in ace-key-groupcomm-oscore. The only type of approach that would not work is the one embedded with a Token POST, since that does not happen with AS2. FP: Right, I now specified the optional key format negociation in the document. The text says: "... the AS2 is both the AS and the KDC, ... so the Authorization Response and the Post Token message are not necessary" . Shouldn't we then have the Token POST to the KDC defined as optional already in ace-key-groupcomm ? See for instance its Figure 2. FP: No, we do not need to change that in Key groupcomm, as that would be more complicated to motivate. In the Key Distribution Request, only one role can be indicated in scope. What if a client wants to be both publisher and subscriber? This seems allowed in Section 3.3 of core-coap-pubsub . Should a client separately contact the AS2 multiple times? FP: Fixed that. In the Authorization Response, the 'profile' field can point at Section 8.1 where the profile value is defined. FP: Ok, done. In the Authorization Response, see above for the 'scope' field in case of a client that wants two roles. FP: Yes, same. [Section 4] Page 8, second bullet point, it can say "... protect the publication end-to-end with the subscribers (see Section 6.1)". FP: Ok, added [Section 5] Page 9, it can say "... keying material to verify the publication protected end-to-end with the publishers". FP: Ok, added [Section 6] It would be good to refer to core-coap-pubsub , and its usage of Observe for subscriptions. FP: Ok, added The text says: "The (F) message is ... , which is unprotected." , although Section 3 admitted the possibility of communication secured also between Broker and Subscribers. FP: that's right, I added some text about that. [Section 6.1] In the unprotected headers of the COSE object, what is used as Partial IV? FP: I added something about this, although this probably requires more thinking. [Section 8.2] The value of 'Profile' should be "coap_pubsub' , consistently with the name of the profile registered in Section 8.1. FP: Yes, this needed update. -- Marco Tiloca Ph.D., Senior Researcher RISE Research Institutes of Sweden Division ICT Isafjordsgatan 22 / Kistagången 16 SE-164 40 Kista (Sweden) Phone: +46 (0)70 60 46 501 https://www.ri.se
- [Ace] Comments draft-palombini-ace-coap-pubsub-pr… Marco Tiloca
- Re: [Ace] Comments draft-palombini-ace-coap-pubsu… Francesca Palombini